Tallinn 2.0 refines the law of cyberattacks

Legally speaking, what can a nation do when its election system is hacked by another country? That's just one of the many kinds of cases the new Tallinn Manual on the International Law Applicable to Cyber Operations attempts to address.

The new book, authored by 19 international legal experts, is an update to the 2013 "Tallinn Manual" that was commissioned by the NATO Cooperative Cyber Defense Center of Excellence.

The original manual grew out of Russia's cyber attacks on Estonia in 2007 and Georgia in 2008, when NATO's CCD COE decided to convene a group of legal experts to evaluate how existing laws of war applied to the emerging cyber domain.

The 2013 manual was designed to address cases like the Stuxnet virus or the use of cyber during armed conflict, said Liis Vihul, the managing editor of the manual, at a launch event at the Atlantic Council in Washington.

"While we were writing the first Tallinn manual we were acutely aware of the fact that even though those types of incidents are the most critical from a national security perspective, states on a day-to-day basis are not grappling with these types of issues," she said.

The new version explores analysis of peacetime laws and how they apply to recent cases like the Sony, OPM and DNC hacks that are considered "below the threshold" of armed conflict.

Like the original, the updated manual does not represent official NATO policies or views, and is billed as an academic resource for states and the international community to use as a guide to establish international norms and legal regimes around cyber.

"It's meant for primarily state legal advisors to assist them in thinking through the legal issues that arise," Vihul said, "when either their states are planning to engage in certain types of cyber operations or when their states are taking hits from abroad and to assess what the international law implications in these situations are."

The book consists of 154 black letter rules of international law with commentary on the rules and debates between the lawyers who wrote the manual.

Michael Schmitt, a law professor at U.S. Naval War College and one of the scholars who wrote the Tallinn Manual, said the areas of consensus are not the most important piece of the book.

"It's where we disagreed, because that's where the play should be with regard to states," he said. "States should be looking at areas where we disagreed and saying, 'that's where states need to roll into the game and start firming up the norms.'"

Schmitt said the book makes clear that existing law and norms are significant, but do not provide all the answers.

"We wanted to give people at [U.S. Cyber Command] a tool which they could use as they begin to deconstruct what had just happened, and how they could respond to it within the framework of international law," he said.

There are a number of "gray areas" of international law, he said, and there will be ongoing debate about what constitutes a cyber act of war or war crime – such as destroying critical civilian data -- and what is a violation of a nation's sovereignty in cyberspace.

"We agreed almost across the group that you can have a cyber operation that is not destructive and is not injurious, but it could qualify as a use of force," Schmitt said, though he added that not all cases of cyber use of force would allow the victim to respond with force.

Schmitt said the book uses the example of elections to highlight the legal principle of "domaine réservé" or the prohibited intervention into the domestic affairs of another nation. He argued that Russia committed a prohibited intervention into the U.S. election by hacking the DNC and releasing data, but that the law is far from settled in that case.

"The Russians have selected an area of law in which to operate in which it will hard for states to come to a consensus that [Russia] violated international law," he said. "We will be squabbling among each other in the interagency process and the international process over did they do it and did they violate international law or not."

Schmitt said if the West isn't more forceful in response to actions like Russia's election interference and information operations, opponents will continue to "play in this gray area."